[geeklog-cvs] geeklog: Fixed viewing of an article if the user did not have ac...
geeklog-cvs at lists.geeklog.net
geeklog-cvs at lists.geeklog.net
Wed Apr 25 10:54:17 EDT 2012
changeset 8624:67f6783ca6c5
url: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/67f6783ca6c5
user: Tom <websitemaster at cogeco.net>
date: Tue Apr 24 10:21:31 2012 -0400
description:
Fixed viewing of an article if the user did not have access to other topics that the article belongs to
Added permission checking to breadcrumbs. A breadcrumb will now not display if a user does not have access to the topic
diffstat:
system/classes/story.class.php | 18 ++++++++----------
system/lib-topic.php | 17 ++++++++++++-----
2 files changed, 20 insertions(+), 15 deletions(-)
diffs (88 lines):
diff -r 92b9809e7fd6 -r 67f6783ca6c5 system/classes/story.class.php
--- a/system/classes/story.class.php Sun Apr 22 20:12:05 2012 +0100
+++ b/system/classes/story.class.php Tue Apr 24 10:21:31 2012 -0400
@@ -596,7 +596,14 @@
$story['perm_members'], $story['perm_anon']);
//$this->_access = min($access, SEC_hasTopicAccess($this->_tid));
- $this->_access = min($access, TOPIC_hasMultiTopicAccess('article', $sid));
+ //$this->_access = min($access, TOPIC_hasMultiTopicAccess('article', $sid));
+ if ($mode != 'view') {
+ // When editing an article they need access to all topics article is assigned to plus edit access to article itself
+ $this->_access = min($access, TOPIC_hasMultiTopicAccess('article', $sid));
+ } else {
+ // When viewing a article we only care about if it has access to the current topic and article
+ $this->_access = min($access, TOPIC_hasMultiTopicAccess('article', $sid, $topic));
+ }
if ($this->_access == 0) {
return STORY_PERMISSION_DENIED;
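Review bot: The view-mode branch scopes the topic check to `$topic`, but nothing visible in this hunk establishes where `$topic` comes from or that the article is actually assigned to it. If the value is request-derived and names a topic with no matching row in topic_assignments, the result depends on what TOPIC_hasMultiTopicAccess returns for an empty result set, which this diff does not show; that case should resolve to 0 (no access) rather than leave the initial access value untouched. An empty `$topic` falls back to the all-topics check, which is the restrictive direction. I would record the contract next to the call, e.g. `// $topic must be a topic this article is assigned to; an unassigned topic must yield 0`. The enclosing method starts and ends outside the hunk.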
@@ -634,15 +641,6 @@
$this->_comment_expire = 0;
}
- /* Tom
- if (DB_getItem($_TABLES['topics'], 'archive_flag', "tid = '{$this->_tid}'") == 1) {
- $this->_frontpage = 0;
- } elseif (isset($_CONF['frontpage'])) {
- $this->_frontpage = $_CONF['frontpage'];
- } else {
- $this->_frontpage = 1;
- }
- */
if (isset($_CONF['frontpage'])) {
$this->_frontpage = $_CONF['frontpage'];
} else {
diff -r 92b9809e7fd6 -r 67f6783ca6c5 system/lib-topic.php
--- a/system/lib-topic.php Sun Apr 22 20:12:05 2012 +0100
+++ b/system/lib-topic.php Tue Apr 24 10:21:31 2012 -0400
@@ -563,11 +563,12 @@
* (need to handle 'all' and 'homeonly' as special cases)
*
* @param string $type Type of object to find topic access about. If 'topic' then will check post array for topic selection control
-* @param string/array $id ID of object to check topic access for
+* @param string/array $id ID of object to check topic access for (not requried if $type is 'topic')
+* @param string/array $tid ID of topic to check topic access for (not requried and not used if $type is 'topic')
* @return int returns 3 for read/edit 2 for read only 0 for no access
*
*/
-function TOPIC_hasMultiTopicAccess($type, $id = '')
+function TOPIC_hasMultiTopicAccess($type, $id = '', $tid = '')
{
global $_TABLES;
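Review bot: The new `$tid` docblock line does not say what an empty value means, and "requried" is misspelled on both changed lines. Since `$tid` narrows a permission check, the docblock should state that an empty `$tid` checks every topic the object is assigned to, and what is returned when `$tid` is not one of the object's topics. Suggested wording: `* @param string $tid Restrict the check to this topic; empty = check all assigned topics (ignored when $type is 'topic')`. The function body lies outside this hunk.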
@@ -604,7 +605,10 @@
} else {
// Retrieve Topic options
$sql = "SELECT tid FROM {$_TABLES['topic_assignments']} WHERE type = '$type' AND id ='$id'";
-
+ if ($tid != '') {
+ $sql .= " AND tid = '$tid'";
+ }
+
$result = DB_query($sql);
$A = DB_fetchArray($result);
$nrows = DB_numRows($result);
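Review bot: `$tid` is concatenated into the query at `$sql .= " AND tid = '$tid'";` with no escaping visible in this hunk, and the new caller in story.class.php passes `$topic` for it, whose origin is not shown. Unless every caller sanitises the value first, escape it at the point of use, e.g. `$sql .= " AND tid = '" . DB_escapeString($tid) . "'";` (or whichever escaping helper this branch's database layer provides). The same applies to `$type` and `$id` in the line above and in the breadcrumb queries in the last hunk of this file. The function body continues outside the hunk.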
@@ -623,6 +627,7 @@
$A = DB_fetchArray($result);
$tid = $A['tid'];
}
+
$current_access = SEC_hasTopicAccess($tid);
if ($access > $current_access) {
$access = $current_access;
@@ -1285,10 +1290,12 @@
'breadcrumb_t' => 'breadcrumb.thtml'));
if ($type == 'topic') {
- $sql = "SELECT tid FROM {$_TABLES['topics']} WHERE tid = '{$id}'";
+ $sql = "SELECT tid FROM {$_TABLES['topics']}
+ WHERE tid = '{$id}'" . COM_getPermSQL('AND', 0, 2);
} else {
// Retrieve all topics assignments that point to this object
- $sql = "SELECT tid FROM {$_TABLES['topic_assignments']} WHERE type = '{$type}' AND id = '{$id}'";
+ $sql = "SELECT ta.tid FROM {$_TABLES['topic_assignments']} ta, {$_TABLES['topics']} t
+ WHERE ta.type = '{$type}' AND ta.id = '{$id}' and t.tid = ta.tid" . COM_getPermSQL('AND', 0, 2, 't');
}
$result = DB_query($sql);
$nrows = DB_numRows($result);
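Review bot: The rewritten assignment query uses a comma join with the join condition mixed into the WHERE clause and a lower-case `and`, which makes it easy to lose `t.tid = ta.tid` in a later edit and then apply the permission filter to unrelated topic rows. An explicit join keeps the permission predicate visibly tied to the joined topic: `FROM {$_TABLES['topic_assignments']} ta INNER JOIN {$_TABLES['topics']} t ON t.tid = ta.tid WHERE ta.type = '{$type}' AND ta.id = '{$id}'`, followed by the existing `COM_getPermSQL('AND', 0, 2, 't')`. The enclosing function starts and ends outside the hunk.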